Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Spam protection for your models using the excellent and simple textcaptcha service

README.rdoc

ActAsTextcaptcha

Travis Build Status Coverage Status

ActsAsTextcaptcha provides spam protection for your Rails models using logic questions from the excellent Text CAPTCHA web service (by Rob Tuley of Openknot). It is also possible to configure your own text captcha questions (instead, or as a fall back in the event of any remote API issues).

This gem is actively maintained, has good test coverage and is compatible with Rails >= 3.0.0 (including Rails 4). If you have any issues please report them here.

Logic questions from the web service are aimed at a child's age of 7, so they can be solved easily by even the most cognitively impaired users. As they involve human logic, questions cannot be solved by a robot. There are both advantages and disadvantages for using logic questions over image based captchas, find out more at Text CAPTCHA.

Demo

Try a working demo here!

Installing

NOTE: The steps to configure your app changed with the v4.0.* release. If you are having problems please carefully check the steps or upgrade instructions below.

First add the following to your Gemfile, then `bundle install`;

gem 'acts_as_textcaptcha'

Next grab an API key for your website, then add the following code to models you would like to protect;

class Comment < ActiveRecord::Base
  # (this is the simplest way to configure the gem, with an API key only)
  acts_as_textcaptcha :api_key => 'PASTE_YOUR_TEXTCAPTCHA_API_KEY_HERE'
end

Next in your controller's new action you'll want to generate and assign the logic question for the new record, like so;

def new
  @comment = Comment.new
  @comment.textcaptcha
end

Finally, in your form view add the textcaptcha question and answer fields using the textcaptcha_fields helper. Feel free to arrange the HTML within this block as you like;

<%= textcaptcha_fields(f) do %>
  <div class="field">
    <%= f.label :textcaptcha_answer, @comment.textcaptcha_question %><br/>
    <%= f.text_field :textcaptcha_answer, :value => '' %>
  </div>
<% end %>

NOTE: If you'd rather NOT use this helper and would prefer to write your own form view code, see the html produced from the textcaptcha_fields method in the source code.

Upgrading from 3.0.10

Due to a relatively large hole that could allow bots to by-pass textcaptcha's, it was nessecary to re-engineer the gem for the v4.0.* release. Thanks to Jeffrey Lim for spotting this and raising the issue. Upgrading is straightforward;

  • Rename `spam_question` to `textcaptcha_question`

  • Rename `spam_answer` to `textcaptcha_answer`

  • Any strong parameter calls should include the `textcaptcha_answer` and `textcaptcha_key` fields;

    params.require(:comment).permit(:textcaptcha_answer, :textcaptcha_key, ... )

Toggling Textcaptcha

You can toggle textcaptcha on/off for your models by overriding the `perform_textcaptcha?` method. If it returns false, no questions will be fetched from the web service and textcaptcha validation is disabled.

This is useful for writing your own custom logic for toggling spam protection on/off e.g. for logged in users. By default the `perform_textcaptcha?` method checks if the form object is a new (unsaved) record.

So out of the box, spam protection is only enabled for creating new records (not updating). Here is a typical example showing how to overwrite the `perform_textcaptcha?` method, while maintaining the new record check.

class Comment < ActiveRecord::Base
  acts_as_textcaptcha :api_key => 'YOUR_TEXTCAPTCHA_API_KEY'

  def perform_textcaptcha?
    super && user.admin?
  end
end

More configuration options

You can configure acts_as_textcaptcha with the following options;

  • api_key (required) - get a free key from textcaptcha.com/api

  • questions (optional) - array of question and answer hashes (see below) A random question from this array will be asked if the web service fails OR if no API key has been set. Multiple answers to the same question are comma separated (e.g. 2,two). So do not use commas in your answers!

  • cache_expiry_minutes (optional) - minutes for answers to persist in the cache (default 10 minutes), see below for details

  • http_read_timeout (optional) - Net::HTTP option, seconds to wait for one block to be read from the remote API

  • http_open_timeout (optional) - Net::HTTP option, seconds to wait for the connection to open to the remote API

For example;

class Comment < ActiveRecord::Base
  acts_as_textcaptcha :api_key              => 'YOUR_TEXTCAPTCHA_API_KEY',
                      :http_read_timeout    => 60,
                      :http_read_timeout    => 10,
                      :cache_expiry_minutes => 10,
                      :questions            => [{ 'question' => '1+1', 'answers' => '2,two' },
                                                { 'question' => 'The green hat is what color?', 'answers' => 'green' }]
end

YAML config

The gem can be configured for models individually (as shown above) or with a config/textcaptcha.yml file. The config file must have an api_key defined and optional array of questions. Options definied inline in model classes take preference over the configuration in textcaptcha.yml. The gem comes with a handy rake task to copy over a textcaptcha.yml template to your config directory;

rake textcaptcha:config

Confguring without the TextCAPTCHA web service

To use only your own logic questions, simply ommit the api_key from the configuration and define at least 1 logic question and answer (see above).

Translations

The gem uses the standard Rails I18n translation approach (with a fall-back to English). Unfortunately at present, the Text CAPTCHA web service only provides logic questions in English.

en:
  activerecord:
    errors:
      models:
        comment:
          attributes:
            textcaptcha_answer:
              incorrect: "is incorrect, try another question instead"
              expired: "was not submitted quickly enough, try another question instead"
  activemodel:
    attributes:
      comment:
        textcaptcha_answer: "Textcaptcha answer"

Without Rails or ActiveRecord

Although this gem has been built with Rails in mind, is entirely possible to use it without ActiveRecord, or Rails. As an example, take a look at the Contact model used in the test suite here.

Please note that the built-in TextcaptchaCache class directly wraps the Rails.cache. An alternative TextcaptchaCache implementation will be nessecary if Rails.cache is not available.

Testing and docs

In development you can run the tests and rdoc tasks like so;

  • rake test (all tests)

  • rake test:coverage (all tests with code coverage)

  • rake rdoc (generate docs)

What does the code do?

The gem contains two parts, a module for your ActiveRecord models, and a single view helper method. The ActiveRecord module makes use of two futher classes, TextcaptchaApi and TextcaptchaCache.

A call to @model.textcaptcha in your controller will query the Text CAPTCHA web service. A GET request is made with Net::HTTP and parsed using the default Rails ActiveSupport::XMLMini backend. A textcaptcha_question and a random cache key is assigned to the record. An array of possible answers is stored in the TextcaptchaCache with this random key. The cached answers have (by default) a 10 minute TTL in your cache. If your forms take more than 10 minutes to be completed you can adjust this value setting the `cache_expiry_minutes` option. Internally TextcaptchaCache wraps Rails.cache and all cache keys are namespaced.

On saving, validate_textcaptcha is called on @model.validate checking that the @model.textcaptcha_answer matches one of the possible answers (retrieved from the cache). By default, this validation is only carried out on new records, i.e. never on edit, only on create. All attempted answers are case-insensitive and have trailing/leading white-space removed.

Regardless of a correct, or incorrect answer the possible answers are cleared from the cache and a new random key is generated and assigned. An incorrect answer will cause a new question to be prompted. After one correct answer, the answer and a mutating key are sent on further form requests, and no question is presented in the form.

If an error or timeout occurs during API fetching, ActsAsTextcaptcha will fall back to choose a random logic question defined in your options (see above). If the web service fails or no API key is specified AND no alternate questions are configured, the @model will not require textcaptcha checking and will pass as valid.

For more details on the code please check the documentation. Tests are written with MiniTest. Pull requests and bug reports are welcome.

Requirements

What do you need?

  • Rails >= 3.0.0 (including Rails 4)

  • Rails.cache - some basic cache configuration is nessecary

  • Ruby >= 1.8.7 (also tested with REE, 1.9.2, 1.9.3, 2.0.0, 2.1.0)

  • Text CAPTCHA API key (optional, since you can define your own logic questions)

  • MiniTest (optional if you want to run the tests, built into Ruby 1.9)

  • SimpleCov (optional if you want to run the tests with code coverage reporting)

Note: The built-in TextcaptchaCache class directly wraps the Rails.cache object.

Rails 2 support

Support for Rails 2 was dropped with the release of v4.1.0. If you would like to continue to use this gem with an older version of Rails (>= 2.3.8), please lock the version to `4.0.0`. Like so;

# in your Gemfile
gem 'acts_as_textcaptcha', '=4.0.0'

# or in environment.rb
config.gem 'acts_as_textcaptcha', :version => '=4.0.0'

Check out the README for this release for more information.

Links

Who's who?

Usage

This gem is used in a number of production websites and apps. It was originally extracted from code developed for Bugle. If you're happily using acts_as_textcaptcha in production, let me know and I'll add you to this list!

Something went wrong with that request. Please try again.